Getting into the swing of POPI

Keeping track of the latest version of impending legislation as it makes its
way through the South African parliamentary system can be a nigh on impossible
task. So prepping your business for upcoming law – such as the Protection of
Personal Information (POPI) Bill – can be a challenging and stop-start affair.

Over the last few weeks, we’ve received further clarity on POPI and its key
definitions, allowing businesses to confidently start laying the foundation for
regulatory compliance while continuing to market to their customers and
prospects via electronic communication channels.

POPI refers to how companies collect and store consumers’ personal information,
and then, crucially, how companies can use this information to market to
consumers. The good news is that it is a relatively simple matter to ensure
your existing customer database is compliant and that any future details you
collect are legal.

Key to understanding POPI is section 69 of the bill, which deals with
unsolicited commercial communications and direct marketing – which we’ll unpack
in a bit more detail here.

Which communication channels are affected

In line with international best practice, POPI applies to electronic
communications that involve a level of automation, storage and forwarding. This
means that SMS and email are included in POPI’s definition of electronic
communications, but regular person-to-person (P2P) telephone calls are not.
This is pertinent, because it recognizes that the automation of communication
is one of the main reasons why spam has become such an issue and needs to be
managed via legislation. The point to take home here is that direct marketing
via a P2P telephone call is handled on an opt-out basis, while all other
electronic communications must be opted into by a consumer.

Opt-in is handled differently for customers and prospects

The bill makes a distinction between how existing customers’ and prospects’
personal data is handled with respect to opting in to receive direct marketing
communications. A business’s existing customers need only to have given
inferred consent to be sent direct marketing via electronic channels, while
prospective customers (that is, non-customers) need to have given express
consent before receiving the same communications.

Getting inferred consent from customers

Inferred consent means that you have informed your customer how you will be
using their personal details when you collected them. In addition, you need to
give them the opportunity to opt out of marketing communication at this point.

Customers should also be given the opportunity to opt out of marketing
communications on each subsequent communication you send to them. The opt out
instructions need to be clear and the process must be free of charge and not
bogged down in unnecessary formality.

If you have not done this yet, you can relatively easily get your customer
database compliant with POPI. The key is to get consent at the point when you
collect the customer data, which is not necessarily at the point of sale. By
running a campaign to update your customers’ details you should, at the same
time, inform your customers that you will be marketing to them and give them
the opportunity to opt out. This process will make your database POPI compliant.

Getting express consent from non-customers

POPI is the first regulation in South Africa to define express consent for
non-customers in order to market to them directly via electronic channels. This
means that the consumer must agree to their personal information being
processed and used for direct marketing. In terms of POPI, consent needs to be
specific, voluntary and informed. In other words, at the point when a
non-customer is engaged, the following should be asked: “Would you like to
receive regular marketing communications from company A? Answer: YES or NO”.

However, making existing non-customer databases retrospectively compliant
needs to be handled with kid gloves. If you can prove the database
has been acquired legally you are free to contact the consumers and ask for
their permission to market to them – but you can only do this once.

While there are additional technicalities around the wording of opt out
messages and related charges, the above guidelines will ensure your databases
are POPI compliant.

It is expected that POPI will be passed into law within the next six months, at
which time it will be specified how long companies will have to comply with the
handling of personal information when using electronic communications to market
to existing and prospective customers.